NAIDnotes Archives

Thursday December 27, 2012

A New Year’s wish for you

By Bob Johnson, NAID CEO

It is normal to feel a renewed sense of ambition and optimism at the start of a new year. I know I do. And, from all appearances, it seems pretty universal.

Marketers certainly think so, especially those offering products or services designed to turn our lives around. For instance, it’s no accident that physical fitness and weight loss programs own the infomercial airwaves. And, it’s no coincidence gym memberships skyrocket in January every year. Sure, it doesn’t hurt that the holidays may have added a few pounds, but that’s just icing on the cake. At the heart of it is the fact that the new year represents a chance for a fresh start.

I often consider myself lucky to work with so many good business people. In general, I find them to be generous, fair, action-oriented risk-takers who, while fiscally conservative, are more than willing to help anyone as long as that person is willing to help themselves. They also tend to have the capacity to see things as they are and not as they wish them to be. They are able to assess their personal strengths and weaknesses honestly as well as those of their businesses.

This capacity to be compassionately honest with oneself may be the single most critical ingredient to being a successful business person, and it is rare among humans. Personally, I find it refreshing to work with so many for whom this trait is required. You see, those who lack this capacity don’t last very long in our business (or any other business for that matter).

I started this entry by noting the renewed sense of ambition and optimism that I and many others feel this time of year. For me, this time of year also leads to a lot of introspection and self-evaluation. I suspect that’s the same for most of you.

My New Year’s wish for you is that you take your capacity to be sincerely honest with yourself, combined with the sense of ambition and renewal that naturally comes with the first of the year, and commit to make one or two small changes for the better.

There are few things taken less seriously than the infamous New Year’s resolution. To declare something as such is almost a guarantee that nothing will change long term, for most people anyway. But, you are not “most people.” Your success as a business person has already proven that.


Thursday December 20, 2012

Protect your reputation: Distinguishing between puffery and a lie

By Bob Johnson, NAID CEO

In most industries, a good reputation is paramount to meaningful sustained success. It just so happens that in the secure destruction industry there is still a lot of customer (and service provider) confusion about what the laws require. Unfortunately, that confusion creates an environment that tempts service providers to capitalize on that confusion.

One small example, and in my mind not all that harmful, is when a service provider claims to be HIPAA compliant. Now, I assume they are HIPAA compliant if they meet the requirements of the security and privacy rules, which is now legally required. In reality, however, that is not what they really mean to say, since that has no benefit necessarily to the client. Usually, what they are trying to convey is better stated as “our service can help your organization be HIPAA compliant,” which is a lot more important to the HIPAA covered entity. Still, I would say no harm, no foul.

Even less troubling to me is when a service provider says something like “The leading secure destruction service in the state.” Obviously, there are a hundred ways to defend that statement (i.e., leading in what?). Beyond that, most customers see such a statement for what it is: marketing puffery.

On the other hand, confusion in the marketplace lends itself to other, much more troubling misrepresentations, some of which actually put the customer at risk. One such situation is when the customer decides to use a service based on a false claim about the service provider’s qualifications. For instance, if a website indicates to customers that the services being offered meet some level of advanced scrutiny (as required by law) but they have not, then that’s a lie and one that could get the customer in trouble.

There are also lies of omission, say for instance, when a service is being outsourced without the customer’s knowledge. This sets up another scenario where the customer could be left hanging. Legally, they are responsible to have a system to validate the service provider’s capabilities, which is not possible if it is outsourced without their knowledge.

In his book “Powerful Times,” Eamonn Kelly explains that we live in a period where we should expect that anything we do that is shady or embarrassing will eventually come to light. So, while it is preferable to be truthful because it is ethical, the reality is that doing so is also a matter of survival. Recovering from the public disrepute is usually not in the cards, especially in a business where trust is the ultimate currency.


Tuesday December 18, 2012

Why it is important to conduct a personal, year-end inventory

By Bob Johnson, NAID CEO

Most entrepreneurs are prone to action. That’s not to say they aren’t also analytical because obviously they have to be. In fact, success comes at the point where effective analysis meets effective action. If there is too much analysis and too little action, you end up with nothing. Too much action without sufficient analysis and you end up with nothing in your bank account. 

But I find that this time of year lends itself to another kind of analysis for me. I tend to get a little introspective. What was my role in my disappointments and successes this year? In the heat of battle, it is often easiest to see how circumstances or other people were responsible for your problems. In “How to Win Friends and Influence People,” this is the first principle that Dale Carnegie covers. It is human nature to attribute mistakes to forces outside of your control. From an intellectual perspective, however, I think we all know that is not true.

And, believe it or not, that is actually good news. If we are simply victims, there is not much we can do about our futures. The fact that we have a significant role in our current and future circumstances holds the promise that we can do something to make it better.

Only you can analyze your role in determining where your secure destruction company or career currently stands. Did you study the literature or were you too busy putting out fires? Did you invest in your training and education or did you rely on the fact that you knew it all? Did you seriously invest in customer training and education or did you leave them to be poached by competitors?

The good news is that no matter how you evaluate your role in your firm’s success up until now, we are about to enter a new year. The reason to evaluate your role is not to beat yourself up but rather to determine how you can improve things. The point is, you cannot move in the right direction without doing the analysis first.


Thursday December 13, 2012

Industry pros take CSDS exam to better serve customers

By Bob Johnson, NAID CEO

In Boston this morning, a group of secure destruction professionals took the Certified Secure Destruction Specialist (CSDS) Examination. It was the second such exam held this year and will be followed by several other regional exams over the next couple of months. 

I have the utmost respect for these industry professionals. Instead of just complaining about customers who only care about price, they are doing something about it. It is not a silver bullet. It is not as if they now will be able to magically change customers into careful buyers but at least they have a chance. These professionals will be in a better position to meet customers’ needs and interact with customers more effectively because they will be more confident.

Earlier this week, I posted a tweet stating, “For 99.9% of customers, data destruction is 0.01% of their job.” Now, you can dispute my percentages all you want, but the gist is no less valid. 

When you get a call from a shopper, how are they supposed to know what to ask you about besides price? They have no idea of the regulatory requirement to make sure their service provider has adequate security. Heck, even if they knew of the regulatory requirement, they wouldn’t know what to ask. They are not supposed to know. It’s not their job to know, it’s yours. And, it is your responsibility to explain it or at least try. We all know shoppers usually don’t want to hear it. From their perspective you’re just trying to get in their pockets and so they dismiss what you say. To that I say, so what. You still try. After all, it’s the truth and you are acting in their best interest by telling them.

Further, when faced with the question that’s blatantly focused on your pricing, a customer needs to hear someone respond with, “I understand why pricing would be the first thing on your mind but to make your selection process, legally you should be asking a few other questions too. Would you like to know the other questions you should be asking to make your selection process legal?” If they say no, you at least exercised your responsibility as a secure destruction professional. If they say yes, you can continue to talk and you are one step closer to a customer that is worth having.

By the way, NAID is working on a new brochure under the working title “It is illegal to hire a data destruction company based only on price.” While such brochures have their limitations, it will give your response credibility given it has been generated by an authority outside your business. The estimated release date for this brochure is Feb. 15, 2013. Read NAID’s e-newsletter, NAIDDirect, to learn more.

 


Tuesday December 11, 2012

Are you getting the most from residential markets?

By Bob Johnson, NAID CEO

Last year the majority of NAID conference attendees overlooked what turned out to be one of the best sessions at the event. To be fair, it was not really their fault. This session was added at the last minute and it was held at 6:30 a.m. That’s right, 6:30 a.m. In fact, it was a two-part session, held at 6:30 a.m. on both Saturday and Sunday.

Nonetheless, the session exploring the residential market for secure destruction did attract about 30 hearty souls. Without exception, they ranked the session among the most valuable at the conference. Several people expressed to me that it was the most valuable session they ever attended at any NAID conference.

Even with 30 plus years in this industry, I heard creative and innovative ideas at that session that bowled me over. I found myself saying, “Holy moly, that is brilliant. I can’t believe I haven’t heard of anyone doing that after all this time.”

Several of those sharing ideas had been so successful pursuing the residential market for shredding that, taken as a whole, it was one of their top five customers and was far and away the most profitable. With this in mind, you can understand why I am so excited about hosting a similar session at NAID 2013. At a time when competition for commercial accounts has turned cutthroat, the residential market represents a vast, untapped reservoir of millions of small accounts no one is chasing.

Sure, it is high hanging fruit but capturing it is worth stretching a bit. My goal is for this session in Nashville to dramatically change attendees’ perspective on this market. For the most part, it is just sitting there, waiting for you to recognize it.

Comments: 1

Mike Sullivan, December 27, 2012 11:02 am

I am very much looking forward to this session as the residential market has been on our radar. Now the question is, what is the best approach to tackling it?

Thursday December 6, 2012

Observations of the paperless office, Part 2

By Bob Johnson, NAID CEO

In my last post, I described how a recent article about the decrease in business communications paper drew its conclusion from flawed evidence. In case you missed that post or the article, the author pointed to an overall decrease in all paper consumption to prove his point. The graph included things like cardboard, newspaper and tissue, instead of limiting the graph to office paper. Those other categories have decreased substantially more than office paper. I suggest you read last Tuesday’s post if you want a fuller explanation.

As a follow-up, today I will confront the issue more directly. Specifically, I want to discuss whether there is less office paper being consumed today, the impact on consumption, and how it will affect our industry medium- and long-term.

There are a number of factors affecting office paper consumption; some are linear trends, others are cyclical. For instance, the economy is a cyclical trend. When the economy dips, business slows and consumption decreases. On the other hand, the push for electronic health records is a linear trend. While there has been a downturn in the overall consumption of office paper in some sectors due to increased reliance on electronic documents, any noticeable decrease of office paper consumption over the last couple of years is more about the economic slowdown than the long-term trend. That is not to say that the long-term trend is not real because it is. It is simply not progressing fast enough under normal circumstances to be dramatically noticeable over a few years.

With that said and the current economy being what it is, let’s focus on the long-term trend. As I said, it is undeniable that some business sectors are trending toward using less paper. It is also true that most businesses and, in some cases the government, aspire to become paperless offices. However, as we all know, early attempts to create electronic-centric offices resulted in consumption of even more paper because everyone printed backups, and for good reason. Consider that electronic records and the databases required to make them work are the cause of the thousands of data breaches reported annually. In fact, data security is the main source of opposition to the government’s push for electronic health records.

Then, there are the issues of record longevity and migration. 

Electronically stored records are nowhere near as resilient as paper. In fact, solid state device memory storage, which is the way computing is heading, is currently not reliable for storing data past five years. Yes, magnetic tape and microfilm provide longer term options, but the expense is often not enough to justify turning away from paper. Consider too that electronic storage will inevitably result in data migration challenges. As equipment and operating systems evolve, at some point, long-term data may have to be converted or transferred to another system or media format because the old versions will no longer be supported.

Of course, there are other issues that will prolong the use of business communications paper as well. None of this means we are not moving to electronic-centric systems; we are. It only means there are still a lot of challenges that are impeding the trend and it is not likely to happen in the near future. Again, readers should be careful not to confuse the reduction of paper due to the economic downturn with any long-term trend toward electronic records.

Now let’s look at it from the secure destruction perspective, specifically paper shredding. I know many people in the secure destruction industry would argue with me when I say there is still a large, unvended opportunity out there but I maintain there is. Yes, it is the proverbial high hanging fruit but it is there. It includes tens of thousands of doctors’ offices, for instance, and hundreds of thousands of medium and small businesses that do not outsource destruction of their daily paper waste. Put another way, U.S. businesses consume upwards of eight million tons of business communications paper per year. I promise you our industry is not destroying half that amount. Seems to me like there’s plenty of room for growth and decades of opportunity lie ahead.

And, let’s not forget about the decades of stored records. ARMA International once estimated that 22 percent of all office paper ends up in boxes on shelves. Not only are there millions of tons of paper records currently being stored, paper records continue to be the method used by the vast majority of businesses. Sure, large Fortune 1,000 companies and others are transitioning, but they are in the minority at this time.

Do I think the use of electronic records is increasing? Yes. Does the fact that it has not created the paperless office yet in any meaningful way mean it never will? No. But everything I see tells me the transition to electronic records will take decades to unfold and paper will continue to play a role in documenting business transactions for the rest of my life.


Thursday November 29, 2012

Misreading the signals: Observations of the paperless office

By Bob Johnson, NAID CEO

Recently, an article about the paperless office has been floating around Twitter and Facebook at bit.ly/XZE88B. Naturally, this type of article gets a lot of attention in our industry for obvious reasons. While as much as 35 percent of NAID members now generate revenue from electronic data destruction, paper shredding remains the primary business for more than 85 percent of all members.

The article above contains what could be a very disturbing graph to those in our industry who do not understand it. It shows a dramatic downturn in the consumption of paper in the U.S. over the last five years. The problem is not that the graph is inaccurate; it is that the graph is measuring the wrong thing or, better said, too many things.

The graph shows consumption of all paper everywhere when all our industry needs to consider is business communications paper. In fact, at its height, business communications paper only represented 9 percent of all paper consumption in the U.S. (a little over 9 million tons a year). The graph shows a decrease from approximately 100 million tons per year. That’s because the author is including cardboard, newspaper, printing paper, tissue, paper towels, and about a dozen other minor uses of pulp and paper products.

Cardboard consumption, the production of which is used as a key economic indicator, hit a wall when the global economic downturn hit. And, do I really have to explain what has happened to newspapers over the last decade? The decrease in consumption of these uses of paper has been vastly more significant to the overall consumption of paper, than any decrease in the consumption of business communications paper.

Now, there is no denying that the consumption of business communications paper – that stuff we shred – is declining somewhat. That decline is most dramatic in Fortune 1000s and a limited number of sectors. And, the decrease is likely to affect those who store paper records more than it will affect those who shred paper records. 

That being said, there is no inevitable “cliff” (fiscal or otherwise) toward which we are all marching. There are decades of opportunity left to those who prepare themselves. I’ll defend that proposition in next Tuesday’s NAIDnotes so come back here to read more. Have a great weekend.

 


Tuesday November 27, 2012

The holiday season presents often overlooked opportunities

By Bob Johnson, NAID CEO

First, let me say that I understand that for many people, including me, the holidays have a deep significance that is often lost in materialistic concerns and pursuits. My comments today are not designed to contradict or capitalize on that meaning. From a practical perspective, however, the holidays represent a time of reflection, warmth and renewal, and there is no reason to overlook the obvious opportunities they present.

The most obvious opportunity the holidays represent is the strengthening of client relationships. I suggest a handwritten card sharing with the client how much their trust in your firm has meant to you, your employees and their families. Keep in mind, it has to be genuine or it can backfire. The words in the card should not overstate the extent of the relationship. Even if you have never met the contact, you can still write a nice note stating how much you appreciate their support and how seriously you take your responsibility. Don’t have the time? Baloney! It might be the most important note you send all year so it is worth however long it takes. Obviously, you will not do this for every account but I recommend erring on the side of overdoing it rather than underdoing it. I would include more than a few prospects in that list as well. Not that you will be thanking them for their trust, but rather acknowledging them for their time over the last year.

The second, often overlooked, opportunity has to do with the New Year. Marketers have long known that the beginning of the year is a time when people think about changing the way they do things. We all know there are times of the year when people are more and less likely to take action. Since we know that January marks the beginning of a period when decisions are more likely to be made and people are more open to change, now is the time to start preparing. The Doctors’ Office Marketing Program and the Customer Employee Training Program are examples of NAID initiatives to roll out during that time. But that’s not the point. The point is that you could be making plans now. Will you push hard for purge business? Will you pursue the residential market with a campaign timed to coincide with the personal tax filing deadline? Will you aggressively pursue route density?

Lastly, if your business is like most, your employees have become part of your extended family. Please make sure you let your staff know how much you appreciate them — not from a Machiavellian ulterior motive, but a true and genuine place.


Tuesday November 20, 2012

Giving thanks for NAID and its members

By Bob Johnson, NAID CEO

Ok, it is not very original or creative to write about gratitude on Thanksgiving Day but here I go.

Though celebrated on different days and in different ways, the holiday has been around for thousands of years. The Horn of Plenty is actually a symbol from Greek mythology. The turkey symbolizes the Pagan worship of the sun. The pumpkin, when eaten, was thought to give powers. Corn, also a big part of the traditional celebration, is an ancient symbol for the mother or queen of heaven.

It was actually brought to North America by the pilgrims from Europe, where it had adopted a more Christian perspective. Canada has its version too, which is celebrated earlier in the year. The celebration in the U.S., which first appeared in 1621, was originally a three-day festival, just as it had been in ancient Rome thousands of years before.

As it turns out, humans have a long history of celebrating their gratitude. Unlike fear, an emotion apparent in virtually every animal, the ability to experience deep appreciation and express thanks for the good things life brings us is uniquely human. I suppose it is a lot like humor in that regard.

In a weird way, it is as though we are really being grateful for the capacity to be grateful. So, it is with my colleagues across the U.S., and those around the world who celebrate a similar holiday, that I will take time this Thursday to exercise my uniquely human capacity to appreciate and give thanks for my incredibly good fortune.

Know too that when I gather with my loved ones on that day, among the things for which I will be giving thanks are the hundreds of secure data destruction professionals who have trusted NAID to help improve their industry, the NAID staff who put their hearts into their jobs, and the hundreds of friends that have resulted from that pursuit.

Keywords:
  • appreciation
  • corn
  • grateful
  • gratitude
  • naid
  • naidnotes
  • pilgrims
  • pumpkin
  • thanksgiving
  • turkey


Thursday November 15, 2012

Economic challenges and predictions of disaster are nothing new

By Bob Johnson, NAID CEO

As long as history has been recorded, economic and social worrywarts have been predicting social and economic collapse.

Recently, I read an article about the imminent collapse of civilization due to the decay of social morals and the rise of materialism, government corruption, and personal greed. It sounded like it could have been written yesterday but, in fact, it was written more than 3,000 years ago.

Why have these predictions been around so long? While I am not a sociologist or psychologist, I do have a theory. It is because these predictions strike at one of our core emotions: fear. I also believe it has a lot to do with the outgoing, usually more conservative generation who have a natural discomfort with the upcoming generation in a new world they do not understand.

Several issues ago, Wired magazine had a cover story on this very subject. While the article discussed how and why sensational stories of economic and social disaster have been around forever, it also points out how and why such predictions have not materialized. I am not saying we don’t have problems that we need to take seriously. I am only saying we have good reason to think we can overcome them or adapt to them.

Here is just one example. Some readers are old enough to remember the oil crisis of the 1970s. We were told the supply would run out. We were afraid for our lives. Last week, the Financial Times reported that the U.S. has more oil reserves than Saudi Arabia and that they are being unlocked with new technology. Unlocking these oil reserves and tapping more natural gas reserves will allow the U.S. to become self-sufficient in the next five years, maybe even a net exporter. Due to other technological advances and increased political will, it is also very likely these fossil fuels will be used with negligible environmental impact.

Yes, civilizations fall. Yes, there will always be economic downturns that affect a significant percentage of vulnerable people. Yes, a lot of challenges face the human race. However, based on human history, the most practical sentiment is to be optimistic. The most sensible action is to work hard toward our attainable goals and make the world a better place.

 

 


Tuesday November 13, 2012

In-house destruction puts the fox in charge of the hen house

By Bob Johnson, NAID CEO

Most NAID members know that I was in the secure destruction business for 14 years prior to founding NAID. While the marketplace has changed immensely in the 19 years since, my time in the trenches when the industry was very young showed me the value of outsourcing.

For instance, in 1986, I did a sales call at the labor relations department of one of the Big Three automakers in Detroit, Mich. Labor relations is obviously a huge issue for automakers since its main purpose is negotiating with the labor unions. Not only are they responsible for negotiating the main contracts, they are also involved in settling hundreds of disputes every year. This particular department was not housed in the company’s headquarters. I do not know if that was by design or for space reasons. Of course, I was also calling on the automaker’s headquarters, which was currently destroying about four tons of paper a day in house. 

On the sales call with the labor relations department representatives, I faced an uphill battle. They were getting the destruction provided by the headquarters for free. Unlike other companies, there was not an internal charge-back system in place.

The meeting was almost over when it occurred to me they might want to rethink their program.

You see, in my pursuit of the headquarters, I was informed that in order for my company to provide services, I would have to employ union workers. Per their contract, every non-management position at the headquarters was unionized. It turned out that the labor relations department had been sending their discarded paperwork to the union workers in the basement of the headquarters for more than a decade. When I raised this point in the meeting, my contact turned white, picked up the phone, and stopped the procedure on the spot. We got the business.

As I said, this is a dramatic and acute example of a situation where employees should not have been involved in the destruction process. As a result, it was easier for them to see the practice was insane. Most organizations that still have in-house destruction programs have similar issues. Although the issues may not be as clear cut as with the automaker, in general, employees are not the most qualified. 

Think about it. Employees have a working knowledge of the company and are in an excellent position to comprehend the information they are destroying. When it comes to personnel issues (e.g., salaries, health or disciplinary issues), the employees might know the people involved or gossip about the information. 

Outsourcing information destruction services has long established itself as a more efficient and convenient alternative. Not too many customers realize that by taking employees out of the equation, outsourcing is more secure.

Comments: 1

Rick Metz, November 14, 2012 11:02 am

I agree with your points - most businesses don't see the risk of their method until it is viewed from an outsider's point of view. I tried for several years to convince a local manufacturer about the risks of shredding in-house and then giving the shreds to local farmers. That system worked great for them until a bag fell from the farmer's pick-up truck and split open on the highway. It exposed hundreds of employees' records, including SS numbers, in strip-cut, easy-to-reconstruct pieces. It was an amazing coincidence that I traveled up the same highway just moments after this occurred. To make a long story short, they are now very satisfied customers.

I also met with a college who uses students to shred other student financial and academic records as a work study program. They house the shredder under a stairwell to reduce the noise and the students work alone as they hand feed the sheets into the shredder. The shreds are bagged and thrown into a dumpster. Unfortunately, they decided that offering this chance at an on-campus job was more important than the security of outsourcing. The best thing we can do is continue to educate about the risks of inadequate data protection.

Thursday November 8, 2012

What do you do when a customer calls with wet paper?

By Bob Johnson, NAID CEO

Last week, NAID issued a press release offering advice to organizations that may have been left with wet paper records after Hurricane Sandy. The main purpose of the release was to provide advice on the legalities of discarding damaged records that were still within their retention period. The release provided a link to another NAID article describing the steps required to document that the records had been destroyed by an act of God, were unrecoverable, and were then subsequently destroyed. Also, the release included a link to another NAID article on the hazards of mold that could develop in damp records.

The articles included in the press release referred readers to NAID members to assist in the secure disposal of any wet records. Quite understandably, we heard from a few NAID members who saw the release and reminded us that it is not possible to shred wet records.

For the record, members should not try to shred wet records. But, I do believe that when a customer or prospect comes to you with this problem, you can provide solutions and make a respectable profit doing so. I also believe that in unusual situations, providing unusual solutions can result in good margins, new customers, and stronger customer loyalty.

Since a blog is not well suited for a detailed exploration of all the possible scenarios that could lead to soaked records, let’s take an extreme case: a basement full of stored paper records is filled with floodwater. Since we are dealing with an extreme situation, let’s say the water includes sewer backwash, in other words, it’s a health issue too. So, we’re not just talking about a potential data protection issue; it could be a hazardous waste issue too.

With all that said, I still say the secure destruction professional could take on this project for a customer who is willing to pay. They came to you because they have records to discard and they want an expert in records disposal to help them. Anyone who says, “Sorry, not interested. We don’t shred wet records.” is actually saying, “We’re not actually an expert records disposal company. We’re just a company that owns a shredder.”

That being said, you would have to approach this situation correctly.

  1. You survey the situation and determine how you are going to help them.
  2. They receive your letter, confirming that not only do they have wet records that are likely to have data protection requirements, they also likely have a biohazard issue. Unless the records are disposed of properly, they have a substantial risk.
  3. You propose to have a licensed hazardous waste removal company remove the materials and oversee a disposal solution that will provide a reasonable level of data security given the unusual circumstances.
  4. You could also provide them with legal documentation to establish records that were still within their retention period, which will also allow them to recover the fees from their insurance company. 
  5. The estimated cost of the service would be $___________.

You provided a compelling reason for them to enlist your expertise and you reminded them their insurance may pay for it. You quoted a price that is enough to make it worth all the extra work. If they say no, what have you lost? You’ve offered a solution. You may have outsourced the whole project, but you were there with your expertise and integrity to make sure it was done as well as possible. 

Where is the paper going to go? It could go to an incinerator, a paper mill, or even to the landfill, if necessary. Remember, regulations require a reasonable solution. If it cannot be shredded, the circumstances allow for the best practical options available in light of the extreme situation. Outrageous circumstances are taken into consideration. No court is going to rule any differently. By the way, if the paper is soaked, it will be nothing but mush by the time it is buried at the landfill anyway.

Again, the exact circumstances could vary wildly. Let’s go to a less extreme situation. They could have 50 boxes soaked by a plumbing leak (clean water). In this case, you could bring them to a secure plant and mix a little bit of wet paper with a higher proportion of dry paper when you shred it. Or, you let it dry for two months, and then shred it.

The question is: Are you a secure data disposal company willing to help clients with their data destruction problems even when they are extreme, or are you a person that owns a shredder?

If a customer is willing to let you make good money, why not provide a solution?


Thursday November 1, 2012

Take note of two upcoming events

By Bob Johnson, NAID CEO

Understandably, NAID members look to the association as a source of education. NAID takes this responsibility very seriously and member feedback tells us we’re doing a pretty good job so far. From the extreme intensity of Certified Secure Destruction Specialist (CSDS) training, the very successful free Summer School Webinar Series, the quarterly journal NAIDnews, and the bimonthly e-bulletin NAIDDirect, this educational content comes in many forms. 

Of course, NAID is not the only source of quality education that is useful to its members. In fact, in today’s blog I want to bring your attention to two non-NAID events that have some very relevant and useful content.

First, I want to mention the upcoming Sales and Operations Workshop offered by Shred School in Las Vegas, Nev., Nov. 14-16. Not only does this represent a golden opportunity to improve your business operations, it marks the last opportunity to attend a Shred School event under the leadership of Ray Barry. As readers may already know, Ray has accepted a position as Vice President of Sales in the Eastern Region at Access Information Management. Therefore, he will phase out his leadership of Shred School after this event. There is a reason Access hired Ray, and this is a great opportunity for you to see why. As it happens, I’ll be making the short trip to Las Vegas myself to visit with colleagues as well as hear from Ray and Greg.

The second event I’d like to highlight is PRISM International’s upcoming workshop titled Commercial Information Services of the 21st Century – The Fundamentals. It will be held on Dec. 4-5, at the Arizona Biltmore here in Phoenix, Ariz. For any secure destruction service provider evaluating whether to diversify into records and information management (or that has already diversified), this conference is certainly worth the time and money. In fact, when you consider the combined experience of the presenters at this workshop, it’s a steal.

These are two quality events that are well worth your consideration.


Tuesday October 30, 2012

How NAID Certification relates to PCI compliance

By Bob Johnson, NAID CEO

In 2006, the five largest credit card companies formed the Payment Card Industry (PCI) Security Standards Council as a self-policing data security initiative designed to quell calls for government intervention prompted by the increasing number of large data breaches and identity theft. 

To that end, PCI quickly produced its Data Security Standards (PCI-DSS) to protect cardholder information, which is now in its second iteration. Merchants, who accept credit cards from the founding members of PCI, are required to meet the PCI-DSS. Companies that process credit card transactions as intermediaries between the merchants and the credit card companies are also required to meet PCI-DSS. Processors are usually banks or credit card transaction clearinghouses. Although very large merchants and processors are required to undergo an audit to establish PCI-DSS compliance, the overwhelming majority are allowed to self-certify.

Although it is not a government agency or initiative, PCI derives its clout from the founding members’ ability to deny merchants and processors the ability to accept their credit cards. Both merchants and processors may allow access to cardholder information to subcontractors that work on their IT systems, act as billing agents, and do other similar activities. PCI holds merchants and processors responsible for the PCI-DSS compliance of these downstream organizations as well. Again, the program is far more dependent on self-certification in the vast majority of cases.

These subcontractors are not considered merchants or processors. They do not conduct credit card transactions in any way and often, as is the case with data destruction companies, the PCI-DSS requirements have extremely limited application. In fact, PCI-DSS only applies to data destruction companies in two areas:

  • The overall security issues that apply to all vendors, such as access control, including employee screening, training, policies and physical security. All of these areas are addressed and validated by NAID AAA Certification.
  • The media destruction specifications, which state the following:
      • 9.10.1.a: Verify that hard copy materials are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
      • 9.10.1.b: Examine storage containers used for information to be destroyed to verify that the containers are secured. For example, verify that a “to-be-shredded” container has a lock preventing access to its contents.
      • 9.10.2: Verify that cardholder data on electronic media is rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise physically destroying the media (e.g., degaussing).

NAID AAA Certification audits verify compliance with each of these points, and, in so doing, provide de facto validation that service providers who have achieved NAID Certification are compliant with the standard.

While it is true that NAID Certification does not require cross-cut shredding for hard copy records (where both the length and width are limited), many members have such capability. This point is rendered moot, however, because NAID Certification also validates the responsible disposal of all destroyed particles, meaning the particles are pulped in the recycling process and in accordance with PCI-DSS specifications.

With regard to NAID Certification of electronic media destruction, the NAID Certification specification and audits validate both the physical and sanitization process, including random forensic analysis of wiped drives on an unannounced basis.


Thursday October 25, 2012

What’s your personal mission statement?

By Bob Johnson, NAID CEO

Many organizations have mission statements and they come in all sorts of shapes and sizes. At their best, mission statements provide a litmus test for organizational decision making, hypothetically, even guiding the day-to-day decision making and actions of frontline employees. At their worst, they are incoherent ramblings that cover so many bases they end up being incomprehensible and unusable.

Here are a few good mission statements from companies that also just happen to be very successful right now.

  • Amazon: Amazon’s vision is to be earth’s most customer-centric company; to build a place where people can come to find and discover anything they might want to buy online.
  • Apple: Apple is committed to bringing the best personal computing experience to students, educators, creative professionals and consumers around the world through its innovative hardware, software and Internet offerings.
  • Google: Google’s mission is to organize the world’s information and make it universally accessible and useful.

Arguably, for any opportunity or action these companies and their employees consider, all they need to do is ask themselves whether the action is consistent with the stated mission.

As this blog headline suggests, it is not company mission statements I want to discuss. I am here to discuss your personal mission statement. Don’t have one? Neither do I, or at least it’s not written down anywhere. However, I am a big fan of the Golden Rule, and it’s hard to dispute that the Ten Commandments offer a pretty good life map. These principles are values and certainly represent the stuff of any good mission statement. Still, those values do not describe specifically how to pursue a career or conduct business.

Why do I think a personal mission statement is important? Well, as best characterized in Tom Adams’ book You are the Logo, we have reached a time when your personal brand is very closely tied to your professional success. Or, stated another way, developing and promoting your personal brand is the best way to attract and retain customers who want to do business with you.

But what would a personal mission statement look like? For me, it could be “To be recognized as one of the most trustworthy and knowledgeable authorities in the field of information destruction.” This does not reduce or conflict with my allegiance to the NAID mission statement, which is “To champion the responsible disposal of discarded sensitive information by promoting the highest ethics and standards.” In fact, it complements NAID’s mission quite well, which is a critical factor. The other thing it does, though, is challenge me to look at what I do (and don’t do). In theory, any professional task not consistent with my personal mission statement should be challenged.

How about you? Do you have a personal mission statement? I propose we all should have one if we want to create a personal and company brand that attracts worthwhile customers.

Disclaimer: The personal mission statement concept came to me as I struggled with the focus of my own activities over the last week. I reserve the right to change it after more consideration. I’ll keep you posted.

Keywords:
  • golden rule
  • mission statement
  • naid
  • naidnotes
  • personal brand
  • principles
  • professional brand
  • tom adams
  • values
  • you are the logo

Comments: 1

   Jeff Leite    October 31, 2012 12:38 am

Bob,

I admire your dedication to the development of ethical industry standards of secure data destruction with OPSI (Other People's Sensitive Information) but even more impressive to me, is your devotion to living life within the standards of God's own standards for ethics and treating other people (including their sensitive data) as equally or more important than your own.

In a world where letting it slide and all too frequently, actions don't keep up with promises, your premise for walking the talk and doing it right, is truly a breath of fresh air and an encouragement.

Thank you for sharing your thoughts with us. God bless and keep up the good work,

Jeff Leite
Living Green Recycling

Tuesday October 23, 2012

The real value of NAID Certification

By Bob Johnson, NAID CEO

From any perspective, the NAID AAA Certification Program has been an amazing success. The program will soon certify its 1,000th member location. Also, hundreds of state and federal government agencies recognize it, including a growing number outside the U.S., and tens of thousands of private organizations now require it of their service providers. Over its 12-year history, it has evolved from a three-tiered program based solely on scheduled audits to a single standard based increasingly on unannounced audits. Further, it has expanded from simply certifying paper destruction to a program that now certifies micro media and hard drive destruction operations as well as operations involved in hard drive and solid state drive sanitization for plant and on-site platforms.

Despite its success, about half of NAID member locations are still not certified. Contrary to what many people think, NAID has never disparaged a member that is not certified. All NAID says about non-certified members is that they are not certified. Period. There is no value judgment, just facts. Non-certified members do not subject their operations to the rigorous standards and third-party audits required of the program. In fact, NAID assumes non-certified members are doing what they say and running a secure, ethical business. After all, anything less would be a violation of the NAID Code of Ethics.

When non-certified members are asked why they are not participating in the program, the responses generally fall in two categories. The most common response is they have not gotten around to it but they plan to do so some time in the future. The other response can take many forms but boils down to they do not see the value of getting certified. It is this latter, more troubling, response that I want to address here.

Anyone who says, “I do not see the value,” or “customers don’t seem to know or care about it,” is missing a key point. NAID Certification is something that should be done as a value-added service for customers. Even NAID members that participate in the certification program miss this point.

Any organization hiring a data destruction company is required, by law, to make sure their contractor has the security required to adequately protect their information. Such due diligence could arguably include evaluating and verifying employment screening, employee training, access control and other factors covered by NAID Certification. The regulations also require the customer to make sure the service provider’s policies and procedures have the requisite regulatory linkage. And, the regulations require some system be in place for ongoing audits.

Now ask yourself, how is the average customer supposed to do that? First, they have no knowledge of what to ask or how to evaluate all the factors. Data destruction, though important, is a small sliver of their overall responsibilities and they have neither the time nor expertise to adequately comply with the regulations. That is why when a service provider becomes NAID Certified, they are actually providing a new, value-added service to their clients. The service provider’s NAID Certification provides compliance.

The decision to remain uncertified is like telling the customer, “We are going to leave you on your own for your own due diligence, even though you don’t have a clue that you are required to do so or how to do it.”

So, when I hear a member say, “NAID Certification doesn’t mean anything to the customer,” I respond with, “Then, as a secure destruction professional, why aren’t you telling them what it means to them?”


Thursday October 18, 2012

Security of personal information requires more attention

By Gary Dickson, Q.C., Saskatchewan Information and Privacy Commissioner

In recent years we have had a number of serious privacy breaches in Saskatchewan. Given the frequency and size of these breaches and the public reaction, there can be no doubt that the people of this province expect that the organizations to which they entrust their personal information in order to obtain health care or other services should respect their privacy and protect their personal information. 

This expectation is apparently shared by many other Canadians. A 2012 survey done for Canada Health Infoway by Ipsos revealed much about the attitudes of citizens to privacy breaches. The Ipsos report stated in part: "specific concerns about unauthorized access and distrust of the computer systems are more common now than in the past." Also, "the results of the survey suggest that public trust in health care professionals to safekeep their personal health information may be softening." The same survey revealed that the measures that most increase the comfort of Canadians when it comes to electronic health records are:

  • Being able to find out who accessed their health record and when (70% “more comfortable”)
  • New legislation making unauthorized access of health records a serious offence (66%)
  • Knowing they would be informed of any breach that occurred (65%)

It is imperative that Canadian organizations that collect, use and disclose personal information pay particular attention to the safe storage and destruction of that information. In April 2011, our office issued the "Advisory for Saskatchewan Health Trustees for Record Disposition." The purpose was to assist all health trustees with their compliance efforts by listing eight steps each of them should take. As an oversight office, in determining what physical, technical and administrative measures are reasonable to safeguard personal information, we are guided by industrial standards and best practices. The work done by NAID has significantly influenced our approach to oversight of not only health trustees but also public bodies.

In our "Investigation Report H-2011-001" dealing with the largest breach in the nine-year history of The Health Information Protection Act, we made extensive use of the tools and standards for appropriate destruction of records that have been developed by NAID and our colleagues in the Ontario Information and Privacy Commissioner office.

We all need to do a better job in recognizing the privacy risk associated with records of personal information that continues until such time as those records are safely and properly destroyed. In that regard, I am grateful for the workshop provided by NAID and Robert Johnson in Regina Oct. 16. The workshop provided granular, practical information to a diverse group of records managers and privacy officers in Saskatchewan. The feedback on the quality of the presentation and materials has been excellent.


Tuesday October 16, 2012

The NAID policy and training workshops are a big deal, and here’s why

By Bob Johnson, NAID CEO

As this NAIDnotes blog entry gets posted, I will be conducting the first ever NAID-Canada Data Destruction Policy and Training Development Workshop for end users in Regina, Saskatchewan.

The audience consists of about 35 information management professionals representing the largest health care providers in the area. Now, I know someone out there is probably thinking, “Only 35 people? That’s not such a big deal.”

But it is a big deal. Just take a minute to think of what you would give to spend half of a day with the information management decision makers at the top 35 health care organizations in your city. And, what if your presentation also had the full backing of the regional information protection authority for your province or state? In Canada, that authority is the Information and Privacy Commissioner and in the U.S. it is the attorney general. And, what if the leader of that regulatory authority opened your session by describing the importance of proper destruction policies and training? And, what if the attendees were so attracted by the offering they each paid $99 to go through the training?

In one morning, NAID will have helped all the top health care organizations in Regina develop their destruction policies and training programs in one fell swoop. It will drastically affect the way the city’s entire health care sector disposes of their paper and IT assets from here forward, including how they evaluate the services they hire to assist them.

Now that’s a big deal. 

Do you know what is an even bigger deal? After years of experimentation, largely conducted by NAID-Canada, NAID has found the recipe to conduct similar events in cities across North America. Keep in mind, Regina, Saskatchewan is a relatively small market. But, with the right local support, the attractive NAID tools (e.g., the Compliance Toolkit, training program, NAID Certification), and the rising stakes of non-compliance, I would be very surprised if you did not see NAID hosting half a dozen workshops in the next year and twice that many the following year.

Now, here’s the thing I really want you to take away from this blog post. There is nothing stopping NAID members from doing the same thing on their own. They have access to everything I do. They have the CTK, they have the training program and video, and they can be NAID Certified. Rest assured, I will be pushing for NAID to conduct as many of these types of events as possible, maybe even partnering with groups of NAID members in specific regions. However, nothing would make me happier than seeing members host similar workshops for their communities.

One way or another, more data destruction policy and training development workshops are in the works. And, no matter how they happen, it will mean good things for NAID members. To see more detail on what NAID is doing in Regina and Toronto, click here.


Thursday October 11, 2012

Common misconceptions about HIPAA and data destruction

By Bob Johnson, NAID CEO

In my blog next Tuesday, I will continue my pricing thread about why secure destruction professionals aren’t willing to do what’s necessary to get out of the commodity rat race. But, today, I am going to mix it up by shedding light on a few Health Insurance Portability and Accountability Act (HIPAA) misconceptions in our industry. Probably the most common HIPAA misconception is that it requires the destruction of protected health information (PHI). It doesn’t. Nowhere in any of the five HIPAA rules does it say a word about data destruction, particle size, or anything about how or where PHI has to be destroyed.

What it says is that covered entities are required to prevent unauthorized access to PHI. That’s it. But even with such a vague directive, it was enough to get health care organizations to outsource their data destruction. Before that, they were simply throwing the records away or selling the paper to a recycler. 

The U.S. Department of Health and Human Services (HHS) gave some direction that they expected data to be destroyed when discarded. Their expectation regarding destruction came when they were asked for an example of what was meant by “physical safeguards to prevent unauthorized access.” The example they provided, completely separate from the law itself, was “for instance, the destruction of discarded PHI.”

Still, destruction was not specifically required by the law. In fact, a few years ago, a consultant in the Midwest caused some trouble when he convinced health care organizations they did not have to shred at all. He took the position that recycling was enough because, if done with some control, it still prevented unauthorized access to PHI. He convinced hundreds of organizations they could save a lot of money using this loophole. Eventually, that trend died, although there are still some health care organizations relying on recycling instead of destruction for security.

Now, you might think the Health Information Technology for Economic and Clinical Health (HITECH) amendment to HIPAA added a destruction requirement. It did not. HITECH did, however, add the Health Data Breach Notification provisions, stating that if there was a security breach, the authorities, media, and patients must be notified. Further, it stated that improperly discarded paper and electronic equipment containing PHI would be considered a security breach. HHS later issued guidance that said encrypted or wiped hard drives and paper that was made practicably unreadable would not be considered a security breach when discarded.

In reality, there is no reason for concern over this technicality. Even though data destruction is not specifically required in writing by HIPAA, it is a requirement. Like every other data protection law on the books, HIPAA is based on the reasonableness principle. No one could ever say it was “reasonable” to discard information without destruction and still meet the requirement to prevent unauthorized access to PHI.

It is still important that destruction professionals know the distinction and talk about it correctly in the marketplace. To say HIPAA requires data destruction is not accurate. It is better to say HIPAA requires the prevention of unauthorized access to PHI, which, in turn, necessitates destruction.

It remains to be seen whether clearer requirements for destruction will emerge in the long overdue HITECH Final Rule. You can bet you’ll hear from NAID as soon as it’s published.


Tuesday October 9, 2012

The long road to freedom from price competition

By Bob Johnson, NAID CEO

I’ve been thinking a lot about how to follow up last Tuesday’s blog. To refresh your memory, I discussed how those who use low-ball pricing techniques to compete fail to consider how it comes back to haunt them eventually.

In reality, the downward price cycle is a complicated issue and not one with an easy remedy. First of all, the vast majority of secure destruction providers do actually understand that low-ball pricing is a bad thing. I also think they probably do not see themselves as the primary culprit. They would say that any price cutting they have done was in response to pressure from their competitors. They were dragged into the fray as a last resort. In other words, they are not the ones driving the price down; they are just reacting. In the convoluted overlap that inevitably exists in such markets, it is actually possible, maybe even probable, that no one sees themselves as the cause, yet due to competitive pressure, they are forced to participate.

Rising above the price trap is a process; a process of decreasing reliance on customers who are just shopping a price. I am not saying ignore those calls. You should definitely make a valiant effort to get that business for a reasonable price. But long term, the emphasis needs to be on attracting sales from people interested in working with you. There is a big difference between a phone call from someone who wants your service and someone who just looks for a cheap price. I am only preaching what Ray Barry, Tom Adams, Jeffrey Gitomer, and many others have been saying for years. 

It is not easy to do. In fact, it is really difficult. By comparison, competing on price is significantly easier and that’s why it’s so prevalent. But, ask yourself, when something was easy, did it ever yield a truly valuable result? Someone has to make a conscious, disciplined decision to exert more effort than they are used to if they want to create this type of a business.

And, even then, business will slow and you will not win every battle. In fact, you may still lose most battles. However, you will have a strategy that builds business based on good customers who want to work with you, which means you may not have predominant market share. But you will make money. You will watch your “following” grow and you will have a good business you can sell or pass down to your kids.

The decision is yours. You didn’t start the pricing spiral but you will be trapped if you don’t put effort and discipline into building a stronger customer base. It will take time but there is no better time to start than now.


Thursday October 4, 2012

Are you playing chicken or chess?

By Bob Johnson, NAID CEO

I grew up loving the game of chess. My grandfather taught me how to play.

As most readers may already understand, to succeed at chess, players have to think many moves ahead to anticipate the likely reactions of their competitors. In business, we also have to think ahead and anticipate the wants and needs of our customers.

However, when it comes to pricing services, a “race to the bottom” price strategy flies in the face of this principle. When price is the competitive tool, the player essentially engages in a game of chicken, which means he or she is not thinking long term or considering the competitor’s next move. The player disregards how the other guys in the market will react or defend their businesses and, most likely, retaliates by using the price card against his or her competitors to steal profitable accounts. If the price cutters were really aware of the mess they were creating for themselves, they would see they were actually setting up their own demise.

Also, there are some people who might say they are using price to cull the market. They mistakenly believe they can outlast the market. In their “game of chess,” they plan to play the price card until they have run the other guys out of business. When they are the last man standing, they assume they can adjust their prices back to profitability. This has worked in many industries; however, not in the destruction industry. For instance, with some notable exceptions, most of the significant players that were in the industry 12 years ago have been acquired by consolidators, yet the number of competitors today is higher than ever. If a company decided to spend whatever it took to drive away its competitors, as soon as the price rose to a profitable level, every city in the country would have new competitors within a few months. By thinking ahead and considering your competitors’ possible reactions, you can see the fallacy of the “we’ll be the last guy standing” argument. As one NAID member said to me, “When a competitor uses price to get business, they pee in the pool. The only problem is they have to swim in the same pool.”

Next Tuesday, I will suggest an alternative to the price strategy so stay tuned.

Comments: 3

   Robert Johnson    October 8, 2012 5:13 pm

About all NAID can do in the pricing arena is educate customers about the importance of due diligence in vendor selection. When I say (or write) that it is illegal to select a data-related vendor on price alone, I am not just trying to be cute. That's a fact and likely the title of the next NAID brochure. As for NAID recommending pricing, that is not possible. The government is very sensitive to trade associations getting involved in pricing. As for suggestions and strategies to rise above the pricing wars, that will be the topic of tomorrow's blog. Keep in mind, if I had a foolproof way of doing that, I would be a billionaire. Still, I have some ideas that are worth considering. I'll look for your assessment of their worth after my next blog is posted midday Tuesday.

   Eric Wartel, CSDS    October 8, 2012 4:46 pm | 1 Agree

Bob and Nick, I agree, but only to a point. As a small startup myself, I have been overwhelmed by the steadfastness of my national competition in the area and what monopoly they have created for themselves over the past 7 years. How else is a new company supposed to get recognition by the customer without jumping into violations of price fixing, or the like, to maintain like-service recognition with the "big boys." NAID, by practice, is supported by small independent companies is it not? Most large national shredding companies were once small correct? As I agree with the small guys "peeing in the pool" being a bad idea, I ask for your advice for countermeasures that we small guys need to survive against the capital-rich national companies. With a common goal in mind - making money - should there not be some open communication from the industry, or NAID, as to what pricing should be by region, or something similar? My national competitor does not speak with me or respect my company, so there is no communication or cooperation. So it boils down to one frustrating question; what is the smaller company supposed to do if they have nothing else to work with but offer lower pricing for the customer?

   Christopher Bashford    October 5, 2012 4:30 pm | 0 Agree

Bob, very well said. I do believe low balling by upstarts is hurting a lot of us. It is very tempting to go to their rate or cheaper to keep the business. We just have to remember, and it is hard to do at times, they will put themselves out of business. No one can operate an ELITE destruction company at $10-$20 a bin. It is impossible. Those of us who have been doing this for years just have to hang in there and let them "hang" themselves. Hopefully sooner than later.

Tuesday October 2, 2012

The death of solution sales

By Bob Johnson, NAID CEO

A while back, the Harvard Business Review published an article about the death of "solution sales." The article explained that buyers now had access to so much information they no longer sought solutions. According to the authors and their research, generally speaking, customers arrived at their own solution prior to engaging the potential suppliers. Deciding on a supplier had been reduced to identifying the one who could adequately deliver the predetermined solution at the best price.

I do not dispute the finding but I do want to address the danger of this practice. 

The vast majority of buyers have far too much on their plate and far too little time to spend on each item to learn enough about each one to adequately develop a complete and appropriate solution. The problem is they often don't realize that is what they are doing (or they don't want to admit it).

Take destruction services, for instance. A prospective customer, frustrated by employees failing to use the office shredding machine, decides to outsource the task. This customer enters the market with no idea of what qualifications they should require. Their "research" is done on the phone and, armed with no background, may amount to no more than comparing prices.

It is said that a person acting as his own lawyer has a fool for a client. Customers may be coming up with their own solutions without the benefit of providers' input but they rarely serve their organization well in doing so.


Thursday September 27, 2012

Making time for real accomplishment

By Bob Johnson, NAID CEO

First of all, I want to thank Dr. Ann Cavoukian, Ontario’s Information and Privacy Commissioner, for acting as NAIDnotes’ guest blogger this past Tuesday. Dr. Cavoukian is one of the most highly regarded privacy and data protection professionals in the world and is the creator of the internationally recognized concept of Privacy by Design.  She has been a great advocate of secure destruction and friend to NAID for many years.

So, it’s Thursday and time for another NAIDnotes post. NAID staff is talking in the halls about their weekend plans. Personally, I am wondering whether I will have time to finish the neglected yard work this weekend. But, with yet another Friday in the headlights, there’s another thought that crosses my mind: “What did I accomplish this week?”

Did I work on a long-range, strategic marketing initiative or was my time consumed reacting to immediate operational issues? Was I able to conclude a project that will pay dividends for years to come, or was I preoccupied with random interruptions and administrative functions?

True, I had a lot of meetings but meetings are not accomplishments in and of themselves. We all know that there is a lot of truth in the saying “too busy to make any money.”

So, while I sit here thinking about whether those shrubs are going to get trimmed, I also have to determine when - amid the flurry and bluster of running this organization - I will prioritize my schedule so I have the time to spend on strategic marketing projects. I have to schedule a time to create.

Most of life just happens to us. But if everything just happens to us, we are simply victims. The difference between real accomplishment and the illusion of achievement may just be the ability to insert thoughtful, purposeful, intentional results in a world that is otherwise largely out of our control.

By the way, there is no shame in asking for help, especially if you are a small business owner. In fact, it is quite the opposite: the value of such collaboration is immense. A trusted marketing adviser is worth their weight in gold, not only for their proven creative aptitude, but because he or she imposes the required discipline on the process.


Tuesday September 25, 2012

Privacy policy is not enough

By Ann Cavoukian, Ph.D., Information and Privacy Commissioner of Ontario

When a privacy breach occurs, it can be a nightmare for those affected and take years to rectify. Affected persons may be put at risk for identity theft and other deceptive practices, depending upon the nature of information disclosed. Your organization can also suffer irreparable damage to its reputation, and your bottom line could also take a substantial hit if there is legal action.

Having a privacy policy cannot, by itself, protect personal information held by an organization.  That is why I have produced a new paper, “A Policy is Not Enough: It Must be Reflected in Concrete Practices,” a guide in effect, which outlines a proactive Privacy by Design approach to reducing the risk of privacy harm arising in the first place, while preserving a commitment to functionality. The seven-step action plan outlined in the paper can be used by organizations of any size, and from any sector, as practical guidance for effectively translating their privacy policies into privacy practices.

Privacy by Design, which was unanimously approved as an international framework for privacy protection in 2010, seeks to embed privacy into the design specifications of information technologies, organizational practices and networked system architectures, to achieve the strongest protection possible, as the default condition. Privacy by Design’s flexible, innovation-driven approach to achieving privacy can help to encourage your organization to both internalize the goal of privacy protection and seek out ways to achieve it.

It is important to develop education programs that begin with an orientation and remain current through ongoing training. Employees must learn about limitations placed on access to, and use of, personal information, and they need to know about the procedures to be followed if someone makes a request for personal information held by the organization. As well, each organization should designate a knowledgeable “go-to” person who can handle privacy-related questions and concerns. For larger organizations, I strongly recommend a Chief Privacy Officer be appointed.

Integrating compliance audits and informal reviews into your organization’s procedures will pre-emptively detect any new privacy challenges, and enable you to update your policies and procedures to deal with issues before a privacy breach occurs.

Despite your best-laid plans, there is still a chance that a breach will occur, and it is important to plan for this by ensuring you have a data breach protocol in place. This would allow you to act both quickly and effectively to meet the expectations of the public, consumers and regulators, and to preserve your organization’s reputation.

The most important point I want you to take away is that a policy is not enough – you have to put it into practice! This means you have to communicate it, educate your staff, and have measures in place to ensure that the policy doesn’t just sit on a shelf somewhere, but is translated into concrete actions.

 

Dr. Cavoukian will be speaking at the NAID-Canada Data Destruction Policy and Training Development Workshop in Toronto Oct. 18. For more information about the workshop, visit bit.ly/12NCWorkshops.


Thursday September 20, 2012

Barbarians at the gates: A perspective on barriers to entry

By Bob Johnson, NAID CEO

One of the challenges to the secure destruction business is the low barrier to entry. Of course, those getting into the business on a shoestring don’t complain, at least not at first. It is not until the new company has a customer base to protect that they wish it were a little harder for the guy down the street to put a down payment on a mobile shredding truck or for the scrap dealer on the south side of town to buy a shredder. Actually, it’s not even necessary to buy equipment. In every major market of the country there are still organizations providing secure destruction services that are simply intermediaries, moving the material on to a third party processor often without their customers’ expressed knowledge or permission. (From a regulatory perspective, doing this without customers’ knowledge or permission is not good.)

The point remains: meaningful, recognized barriers to entry are good for the health of legitimate, honest, established service providers and, in the long run, the health of the whole industry.

Over the weekend, I tweeted “Few barriers to entry are more effective than a solid client relationship. It's the top sales priority ... more so than growth,” and I truly believe that. (@BobatNAID) Having to defend an account after the fact, defensively and apologetically, is like digging yourself out of a hole. Customer loyalty needs to be an overt, strategic activity with multiple moving parts. It is a critical and primary barrier to entry. So, while the best things in life are free, it might be easier if you could throw money at it. It is my experience that discipline and strategy are rare commodities compared to money in the secure destruction industry. (I hope you’re an exception.)

That being said, there are other meaningful barriers to entry. NAID AAA Certification is increasingly a barrier. While there is no way to verify it empirically, almost 1,000 NAID certified locations are responsible for approximately 75% of all the outsourced destruction services in the U.S. Although NAID Certification has a long way to go, there is a real chance it could set a higher level of security and auditing that every service provider would need to meet.

There are other meaningful barriers to entry as well. Downstream Data Coverage, Certified Secure Destruction Specialist (CSDS) accreditation, the Customer Employee Training Program, and CTK have proven to strengthen customer loyalty and offer a competitive advantage. Once in a while, a NAID member will suggest the association is making it more expensive to be in the industry. Ironically, those complaints are nowhere near as common as the complaints about the number of unqualified, price-oriented competitors that continue to plague the marketplace.

Meaningful barriers to entry that serve the customer’s best interest should be embraced by legitimate secure destruction service providers. These barriers are the friend of any company serious about creating a healthy market for secure destruction services and a strong, profitable industry.


Tuesday September 18, 2012

Success is rooted in routine

By Bob Johnson, NAID CEO

A few years back I read a book that talked about how some companies get in “the zone.” Being in “the zone” meant that the company hit a point where success seemed easy, almost automatic. They had created a customer-generating machine. All they needed to do was turn it on.

I’ve occasionally seen this in the secure destruction industry and I’ve seen plenty of examples of the opposite as well. When I think about the companies in our industry that found the zone, I notice they were very disciplined; in short, they found a recipe for success and built processes to replicate that success on a daily basis. These routines were in place for everything, from how to handle service inquiries to how community shred days were conducted.

Also, newsletter production was on a schedule and they had a system in place for developing a range of specific content. Their drivers knew the routine for making sure containers were completely empty and clean before they were put on the truck. Their company blogs had content posted every Tuesday about a predetermined set of topics aimed at providing customers and prospects valuable information. On the days industry business journals were published, they combed the pages to see what was happening with local businesses that might expose opportunities for their companies. They set a goal to hold one lunch ‘n’ learn every month at a prospective client’s office, and they had a system and timeline in place to make it happen. And, the reason they had monthly goals was because they understood their events must be manageable. You see, by definition, a process is something that has to be sustainable. It has to run like a machine.

However, none of what I just said means that these firms are incapable of reacting to unusual situations and opportunities. In fact, they have a process for reacting to unusual situations and opportunities.

If you think your firm lacks the routines and processes necessary to enter the zone, don’t get discouraged. Even if you’re a one-person operation, you can start by scheduling some time to develop proactive marketing, maybe starting a social media site or getting involved in a local buying group organization. Your first routine may well be to build more routines. Once a month, pick a process you will put in place to improve an aspect of your operations or marketing goals.

In time, there is more than a good chance you will have a customer-generating machine; a machine operating well within the zone.


Thursday September 13, 2012

The true value of public speaking engagements

By Bob Johnson, NAID CEO

Universally, sales and marketing experts encourage those representing a business to actively seek public speaking engagements. They rightly point out that such educational presentations, where you show off your industry knowledge without overtly pushing your product, demonstrate to the audience that you are an expert and trusted resource in your field.

There is no disputing this fact but I believe too many people overlook the value of such speaking engagements. Let’s say for a minute a secure destruction specialist speaks to a local ARMA International chapter and about 40 people show up, half of them vendors. Then there might be 20 prospects in the audience; your firm already services 10, and the other 10 are happy with their current destruction vendor.

At first blush, one might challenge the value of a speaking engagement at that event. That would be a mistake, and here’s why.

Forget the audience for a moment. Think about the fact that the 60 percent of the chapter members who did not attend the event saw your name and company name highlighted as an expert on information destruction. Also, your company e-newsletter mentioned your appearance before and after the event. Potentially 2,000 or more local customers and prospects saw you and your company highly regarded by a local professional organization.

The actual message you conveyed to the ARMA chapter members at the event was good but, when played right, the ripple effect is enormous.

Remember, every public speaking event you do is an opportunity to hone your skills and build your confidence. The true value of a speaking engagement goes far beyond the chance to talk to a handful of event attendees.


Tuesday September 11, 2012

The fourth scenario: Referrals on steroids

By Bob Johnson, NAID CEO

If your secure destruction company is relying strictly on cold calling prospects for sales, you’re going to have a rough time growing your business. Obviously, it is much better to call prospects with whom you have some connection, namely a referral or someone you met while networking. Better yet is a scenario in which prospects are calling you for solutions based on your reputation, expertise and community involvement. And finally, the rarest and most rewarding method is when a prospect calls and says something like “one of our biggest customers is requiring that we use your service.”

While some companies still cold call prospects, I am not going to waste a minute talking about why cold calls do not work. If you haven’t learned why yet, you probably are not reading much about sales theory. The most successful secure destruction sales and marketing efforts use the second and third scenarios described above. That’s great. Scenarios 2 and 3 are no doubt the sweet spot for the largest source of sustained growth for any company over time. That said, there are some tactics you can employ to exploit scenario 4, where the prospect is calling your company because it was strongly suggested they do so.

Most secure destruction companies have a big employer as a customer and, statistically, larger companies are more security conscious. Also, larger organizations utilize the services of lots of smaller companies with whom they share information. The thing is, while the large company may have a secure destruction program, they often don’t pay attention to the secure destruction programs of their smaller suppliers and subcontractors until you remind them, that is. 

I personally exploited this strategy with major clients in upstate New York more than 20 years ago. I contacted the security department to discuss their local downstream vendors’ secure destruction practices, and, cutting to the chase, ended with more than 200 new customers in less than six months.

Hospitals offer another opportunity for this type of top-down, push marketing. Think about it: any decent-sized hospital is surrounded by minor medical facilities that are affiliated with the mother ship. If you’re doing business with that hospital (and have a good working relationship), you owe it to them to explain these affiliates could be putting patients at risk and that risk could reflect poorly on the hospital.

I admit it is not a slam dunk. I admit it takes finesse and confidence. But it does work, and when it works, it can lead to a strong bump in sales and, in many cases, from prospects that don’t currently have services in place.


Thursday September 6, 2012

The case for getting your CSDS

By Bob Johnson, NAID CEO

As announced later today in NAIDDirect, training for the next round of Certified Secure Destruction Specialists (CSDS) examinations starts at the end of this month, marking the beginning of the third round of training and testing for the secure destruction industry’s only professional accreditation. 

With that in mind, I’ll take this opportunity to share my perspective on the program. Most readers have heard the saying, “He/she could sell an ice cube to an Eskimo.” I am not a big fan of that sentiment nor do I believe that approach to sales is effective.

Earning a CSDS does two things I believe are important for success in the secure destruction industry. First, it is a source of confidence. Nothing is a more effective persuader than confidence. Customers respond to confidence. When secure destruction professionals know the real value of secure destruction, vendor qualifications, NAID Certification, and legislation, it shows in the way they talk and write. Whether secure destruction professionals even talk about those things with prospects, they have the knowledge to conduct themselves more confidently.

The second benefit of earning a CSDS is that it provides context that helps industry professionals retain – and put into perspective – new industry information. It provides a knowledge foundation to which new information can be added. Without the base knowledge, new information has nothing to stick to. If there is no frame of reference, there is no way to interpret it. So, in providing this foundation, the CSDS better prepares industry professionals to integrate, understand and relate to their world.

The knowledge required to pass the CSDS examination is extensive and comprehensive. And, while the examination is challenging, close to 150 industry professionals have already successfully achieved it. It is said that the only way someone grows is by stepping outside their comfort zone. I urge you to challenge yourself. Passing the exam and maintaining the accreditation is a lot of work but so is anything worth achieving.


Tuesday September 4, 2012

Arm clients with reasons to keep your service

By Bob Johnson, NAID CEO

In my last two NAIDnotes entries, I discussed why you owe it to your clients to arm them with a justification for why they use your particular service. In the second installment, I explained what that justification should look like. In this third and final entry on the subject, I’ll discuss how to train them. The good news is it is pretty simple.

Hopefully my last entry got you thinking about what you want your clients to say about your services. Remember, it is your job to create a compelling one- or two-sentence reason that your firm was chosen. As the business owner, it is your primary job to formulate that reason. As I have said before, if you can’t articulate it, you’re in trouble.

Assuming you have developed this defense, or reason, for why they selected your firm, now you need to get it in front of your clients on a regular basis, using as many outlets as possible.

  1. When you meet with them to review the business, hand feed it to them. You could also provide the reason to them while acknowledging them for proper disposal practices with something like the Secure Data Zone Certificate. Hypothetically, you could work your reason right into the certificate you provide.
  2. Send them a letter detailing the reason and use it in all correspondence. This correspondence can be a letter you write to welcome them as a new customer, an announcement or a note of appreciation. “Hi Mike, I just wanted to let you know how lucky your firm’s customers and employees are to have someone with your integrity protecting their information. By choosing Bob’s Data Destruction, you have a service that is not only NAID AAA Certified but also provides notarized certificates of destruction and the legally required employee training.” 
  3. Put the reason in your email signature, service orders and invoices as a tagline. “Bob’s Secure Destruction Services: Providing NAID AAA Certified destruction services and free employee training now required by law.” And, while you’re at it, integrate the message into your social media campaigns.

Remember, making sure your clients can defend why they selected your service is a favor to them. They are the people who look foolish when they do not have a good reason for using your service. Be their hero; give them what they need. It just so happens, it is the best thing you can do for your business too.


Thursday August 30, 2012

How customers can defend selecting you

By Bob Johnson, NAID CEO

In my last NAIDnotes entry, I explained why the biggest favor you can do for your customer and your company is to make sure the customer is prepared to articulate exactly why they are using your service. If you have not already, I suggest you review my last entry before reading further. Today I’ll talk about what such justification might look like and how it can be conveyed to the client.

If your contacts’ bosses were to suddenly say, “Hey, I know you have a shredding company already but my wife’s company uses a free service. Why are we paying?” Would your customers know what to say to defend using your service? If not, your whole business is based solely on the hope that the question never comes up. That is pretty scary. From my perspective, you owe it to your customers to make sure they can answer that question confidently and without hesitation.

There are two difficult tasks that factor into this challenge: providing an effective response to the question and then making sure your contact is aware of it. By the way, none of what I say in this post negates the importance of your company’s relationships with your customers. That is the minimum requirement. If they do not like and trust you, they will never try to defend selecting and keeping your service or product. In fact, arming your customer with the justification for using your service should actually improve that relationship. However, I am not implying this is a foolproof plan. This strategy is simply to increase the odds of protecting your accounts. 

How could your customers respond to their bosses’ question?

For example, “The current data protection regulations make us responsible for having a specific and thorough selection process of any third party company that will touch our information. Changing now, in a knee-jerk fashion, would violate those regulations.” Depending on how confidently they say it, that could work, or at least buy some time. On the downside, this response is a little light on actual differentiators.

Although the above suggestion is sufficient, I prefer a response that is a little more concrete. For instance, “Since we are required by law to have defined criteria for selecting this type of vendor, we only looked at vendors that had the right certifications and the proper professional liability indemnifications. Our current vendor has everything we needed and at a fair price.” Another possibility is, “From a legal perspective, these vendors need specific qualifications. Besides that, our current vendor is providing free training that we are required to have anyway. If we had to pay for it, the cost would be enormous.”

There are two keys to developing the answer that will defend your firm. First, you need to identify the tangible and intangible things you bring to the table and, the more tangibles you have, the better. Second, you need to write it out. Your client needs to have it committed to memory, which means it will not work if it is just a general concept. It should be one or two sentences.

Since I am running long, next Tuesday I will write about how you teach your clients to defend choosing your service. In the meantime, think about what sentence or two you would provide your customers to defend selecting your firm to meet their destruction needs.


Tuesday August 28, 2012

Beyond good service and good manners

By Bob Johnson, NAID CEO

I read a book a few years ago called “The Ultimate Question,” which chronicles the ascent of Enterprise Rental Car from a backwater operation to the No. 2 spot in that arena.

In essence, the book maintained that Enterprise’s success resulted from hiring an outside service to contact customers asking one question about their experience, “Would you recommend us to a friend?” The premise was that managers’ and team members’ compensation, status, recognition, and promotions were tied to customers’ responses. It meant that managers and team members would work harder to make sure the customer experience was good enough that customers would recommend them to friends. In order to create a good customer experience that would result in a referral, agents concentrated extra hard on providing great service and being super polite.

After reading the book, I wondered if great service and being polite was really enough to ensure customer loyalty. And, even if it worked in the car rental business, how would it translate to secure destruction services?

Some readers know that among the many hats I wore while getting NAID off the ground, one was that of sales trainer. (Some readers may still have a copy of the 200-page sales training manual I wrote 20 years ago.) I maintained then, as I do now, that the best favor you can do for your customer and yourself, is to make sure they can complete this statement, “We use this company for our destruction because …”

In the months and weeks ahead, customers will inevitably be put in a position to defend that decision regularly. First, they will occasionally have to defend selecting your service to their boss. Think of the position you put your customers in if you have not given them proper ammunition or training. You have left them hanging in the wind and put the account at risk.

Secondly, and more frequently, they also have to defend their decisions to themselves. Every time they shut down a competitive offer, they silently ask themselves, “Why am I using my current vendor?” It’s a psychological principle called cognitive dissonance. The better they know why they are using your service, the easier it is for them to reject the advances of a competitor confidently. Every time they authorize that payment or sign that purchase order, they are silently asking themselves, “Why am I using this company?” Your job is to make sure they know the answer.

What about good service and good manners? Well, when put in a position to explain to a boss (or themselves) why they are paying you “X” when a competitor is offering “Y,” I seriously doubt that the response “they have excellent service and they are very polite” would get much mileage. You’d better get ready to pick up those containers.

Tune into NAIDnotes on Thursday to learn more about how you can arm your customers with responses that can effectively defend the customer’s decision to use your service.


Thursday August 23, 2012

Price increases are necessary in business

By Bob Johnson, NAID CEO

I often hear from NAID members that increasing prices is "impossible." However, price increases are not only possible, they are a necessary part of operating any business. That being said, when I bring up the necessity of monitoring and adjusting service charges to members they either say “yeah right, get real,” or turn pale.

These reactions are understandable. Most customers know there are many other service providers to meet their needs. They also know (or strongly suspect) many of those competitors would meet their existing price, if not lower it. Given these circumstances, a price increase might result in a lost customer. In tough times, this fear is magnified because customers are more likely to be sensitive to any increase.

While I agree this is a possibility, many NAID members overlook factors that can help them raise prices effectively or make marginal accounts more profitable.

  1. You do not have to raise prices indiscriminately, on all accounts, across the board. In fact, price increases are more effective if they are applied to accounts on a case-by-case basis following a systematic review of their profitability. Price increases should be ongoing. If the proposed adjustment sends the account shopping, it is much easier to deal with a few vulnerable accounts than a mass exodus. Plus, anything done indiscriminately sends a negative message to the customer. If done correctly and carefully, this fine tuning can actually strengthen that relationship.
  2. Increasing the profitability of an account can sometimes be achieved by adjusting the service scenario or route. Another benefit of reviewing account profitability annually is that the process can uncover changes in route density or service requirements that evolved over time. Throughout the months and years, accounts add, subtract, or move containers, which can affect not only the profitability of the account but the route as well. These changes can only be understood fully by evaluating the profitability of your accounts on a routine basis.
  3. Price increases should be factored into equipment acquisitions and upgrades. There are two ways price increases factor into the issue of equipment acquisitions. First, new, more efficient equipment may be the best strategy for increasing profitability. For instance, using a low-production mobile truck can price you out of the market. On the other hand, if your company uses state-of-the-art equipment already, then adding capacity without analyzing the profitability of each account doesn’t make much sense either. There is no need to add equipment to serve unprofitable business. It is better to run the profitability analysis, make adjustments and then add capacity. In the unfortunate and unlikely event that a significant number of accounts leave, you may not need the additional capacity. I know that sounds horrible but that means the only reason the additional capacity was needed was to serve the customers that were already sucking profits.

Also, think about what the fear of talking about price says about your customer relations program. If metered and deliberate price adjustments are just too scary, chances are there is an even bigger problem with customer relations, which I will discuss in next Tuesday’s NAIDnotes.


Tuesday August 21, 2012

I wish you a worthy competitor

By Bob Johnson, NAID CEO

In today’s blog I am going to offer a perspective on competition that is often overlooked: the good side of competition.

Have you ever noticed at the end of a boxing match, especially where the two boxers really go at it, the boxers embrace and congratulate each other, win or lose? It is remarkable when you think about the trash talk before the match and how they stare each other down just before the bell. And, it is even more remarkable when you think that just minutes before they were trying to beat each other into unconsciousness.

I have come to believe that at the end of a long boxing match, where each guy gave his all after giving and taking a beating, there may be no two people on earth with more mutual respect for each other. They know what it took to get there. They know how much heart it took to stay in the fight. Of all the people in the arena, there is no one – not the trainer, not the announcers, and certainly not the audience – with whom they can relate more than their competitor.

There is another thing that brings them close too. Each boxer achieved his or her level of proficiency specifically to meet and hopefully overtake the threat of the other. In a very direct way, the competitor was the reason, his or her motivation, for pushing him or herself. If a professional boxer were to get in the ring with me, I promise he or she would not have felt the need to push him or herself in training.

This may sound strange but it is my wish for NAID members to have worthy opponents to motivate them to do and be their best. And, in kind, I would like their competitors to know they are dealing with a serious contender; a contender that has trained hard, will not quit, and understands the game.

In business as in sports, competition is the impetus for achieving excellence. It pushes leaders and companies to be better; without it, they would certainly have achieved less.

So, the next time you take one on the chin courtesy of a competitor, dust yourself off and remember it is simply the world’s way of pushing you to work harder and smarter. And, whatever degree of excellence you achieve, you owe it to the fact that you had a worthy competitor.


Thursday August 16, 2012

Data protection laws require due diligence

By Bob Johnson, NAID CEO

It is illegal to select a data destruction service provider on price alone. So what qualifications should you use to select a vendor? In my last blog post, I wrote about the principle of “reasonableness.” I want to continue that theme in today’s posting, specifically looking at data-related vendor selection.

Without exception, data protection regulations put a special burden on data controllers – those originally entrusted to protect personal information – when they are selecting downstream vendors. After all, customers have a choice when selecting their primary data controller (e.g., bank, hospital, insurance company), but they have no say in who those organizations select to store, scan or destroy data. Customers simply have to rely on the hope that the data controller will select a competent service provider.

As a result, data protection laws have a number of provisions to promote such diligence on the part of the original data controller. First, they do not allow the data controller to pass on the regulatory liability to protect the data to the downstream service provider. While the regulators understand that the use of such subcontractors is a modern day necessity, they hold the data controller responsible for the actions of those vendors, as described in this excerpt from the “Proposed Modifications to HIPAA under HITECH.”

“…The covered entity remains liable for the acts of its business associate agents, regardless of whether the covered entity has a compliant business associate agreement in place. This change is necessary to ensure, where the covered entity has contracted out a particular obligation under the HIPAA rules, that the covered entity remains liable for the failure of its business associate to perform that obligation on the covered entity’s behalf.”

Similar provisions appear in all major data protection laws currently enforced around the world. To be clear, the data controller may, and often does, assign financial responsibility to the downstream vendors for financial damages they cause. However, they cannot pass on the responsibility. For example, if a service provider causes a data breach notification event, their only responsibility under the law is to inform the data controller. The data controller is responsible for making and paying for the actual breach notification.

But that is not the only way data protection laws ensure data controllers keep their eye on the ball. The laws make it illegal to select a vendor without doing the proper due diligence. This excerpt from the Securities and Exchange Commission’s Regulation S-P is typical.

“…The ‘reasonable measures’ standard will generally require the covered entity to take reasonable steps to select and retain a service provider that is capable of properly disposing of the consumer report information at issue.”

If space permitted, similar language could be quoted from virtually every other data protection law in the world.

In reality, the only time a data controller is likely to be found at fault for not properly evaluating its downstream data processors is when there is a breach. In that regard, it is very much like a seat belt law, where the violation is discovered only when the driver is pulled over for a different violation.

Still, in nearly every investigation that follows a data breach, regulators find it was caused by lack of due diligence in policy development, training, or vendor selection and, usually, the fine is predicated more on the lack of due diligence than it is on the breach itself. Exercising your due diligence will protect you in the long run.


Tuesday August 14, 2012

The role of reasonableness in data protection compliance

By Bob Johnson, NAID CEO

Compliance with some regulations is determined by very objective, clear requirements. For instance, in the U.S. you must pay your personal taxes by April 15. If you don’t (without filing an extension), you have broken the law. Period. However, with other regulations like data protection regulations, compliance is determined by the principle of “reasonableness.” They require organizations to take reasonable steps to fulfill the requirements.

Some data protection laws require organizations to prevent unauthorized access, as is the case with the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) of 1999 (Financial Modernization Act of 1999), and the European Data Protection Directive. In other instances, they specify the destruction of discarded personal information, as is the case with the Final Disposal Rule of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) or Regulation S-P of the GLBA. Either way, compliance is determined by the reasonableness of precautions.

The advantage of this approach is that it allows flexibility in compliance strategies for many types and sizes of organizations that have varying needs and resources. However, some people suggest that allowing every organization to determine what is reasonable is a weakness. But, in fact, the reasonableness approach actually challenges an organization to put a lot of thought into its particular compliance strategy. You see, while the organization must determine what is reasonable for itself, it is not the final judge. In the event of an audit or data breach, the final judge of what is reasonable is the regulator. The challenge is developing a reasonable approach to compliance that reflects what regulators consider reasonable. The good news is those regulators have provided plenty of guidance.

Reasonable approaches and responses to data protection laws include creating written data protection policies and procedures and providing training to employees. Or, stated another way, not having written data protection policies and training programs would be considered unreasonable and, therefore, noncompliant. Also, not having written selection criteria and a written process for hiring data-related vendors would be considered by regulators as unreasonable and noncompliant.

The lack of written policies, employee training and vendor selection criteria remains the weakest link in most data destruction practices. In the last few years, virtually every one of the thousands of data breach investigations ultimately exposed one or more of these critical shortcomings, which usually led to severe consequences and large fines. Therefore, when reviewing the data protection laws, remember to determine what is reasonable for your organization to remain compliant and safe from penalty.


Thursday August 9, 2012

Remembering what NAID is all about

By Bob Johnson, NAID CEO

NAID has one mission: to promote the proper destruction of discarded information by outsourcing to a qualified service provider. That’s it. In service of that mission, NAID engages in a wide range of activities such as producing publications, holding conferences, commissioning research, speaking at industry events and advocating for regulations.

The concept is anything but new or unique. Every industry worth its salt has a trade association made up of organized industry professionals and companies. There are things that need improving in the industry that can only be done by pooling resources and concentrating expertise. 

Of course, nothing happens without economic resources, and the sources of those resources fall into two major categories: membership dues and programs. Usually, only about 30 percent of trade associations’ revenue comes from membership dues and NAID is no exception. The rest comes from initiatives and programs like certification, conferences, sales tools and advertising sales.

Often there are for-profit organizations within an industry that offer these same things. The difference, however, is that those companies put the profits in their pocket. NAID gives them back to the industry and the IRS makes sure of it. And, in a very legal sense, members must be solely in charge of determining the association’s goals and how that money is spent.

Here are three principles I would like members to keep in mind:

  1. It is simply inaccurate to think of NAID as anything other than a collection of your colleagues. For the most part, the board is made up of companies just like yours and they want the same things you do. You might not agree with every decision these 13 colleagues make but nevertheless they are your representatives. Often, they even disagree with each other. But that’s just how things work in the real world.

  2. Whether you are a service provider or a vendor, every penny you have given to NAID went toward activities and projects to promote the industry. Only about 30 percent goes to pay NAID’s 12 full-time staff members – an acceptable association norm. But even then, every one of those people comes to work every day to execute the directives of the board of directors, who themselves are simply acting under the authority of the membership who elected them.
     
  3. Since NAID is just a collection of destruction service providers, industry vendors who support NAID are actually supporting the service providers’ customers. There are several other, very good, for-profit promotional outlets, none of which turn their profits to the betterment of your business. Please keep this in mind, and whenever you get the chance, thank those vendors who continue to support your trade association and your business.

Tuesday August 7, 2012

Welcome to NAIDnotes

By Bob Johnson, NAID CEO

According to Dictionary.com, a “blog” is a website containing a collection of a writer’s or group of writers’ own experiences, observations, opinions, etc., and often having images and links to other websites.

While at face value blogging seems like just another content generator, I’ve come to learn it means a lot more. It blurs the line between social media and conventional websites, magnifying the benefits of both to be more than the separate parts. 

Blogs amplify the “clout” of social media platforms while dramatically boosting the search engine results of their website hosts. Blogs give their source the highest potential to put meaningful, persuasive information in front of any person on the planet who might be looking for it.

But there is still an inescapable reality – true of all content from the beginning of the written word – it only works if it is valuable.

Over the coming weeks, months, and years, I, other NAID staff members, and guest bloggers will do our best to bring useful insights and perspectives on a wide array of issues relevant to NAID members, the world of secure destruction, vendor qualifications, and data protection. Through the NAID website, social media platforms, and printed publications, we’ll endeavor to attract a broad spectrum of readers who are not only industry participants but also policymakers, privacy and security professionals, and records managers.

I invite you to visit this blog regularly. We have a lot in store for NAIDnotes readers so stay tuned and remember to leave comments to keep the discussion going.

Comments: 2

John Barwick, III, August 17, 2012 1:15 pm

Congratulations on starting a blog! I have set a Google Alert to tell me whenever new content has been added to this page. I will help share the valuable content that you provide through this blog.
